Merge pull request vavkamil#88 from vavkamil/vavkamil/ci

vavkamil · web-flow · commit 5488f75bb2c7 · 2026-03-26T11:19:51.000+01:00
chore(security): Pin deps to hash &amp; unify CI templates
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -11,7 +11,7 @@ updates:
     assignees:
       - "vavkamil"
     cooldown:
-      default-days: 7
+      default-days: 14
 
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -22,4 +22,4 @@ updates:
     assignees:
       - "vavkamil"
     cooldown:
-      default-days: 7
+      default-days: 14
diff --git a/.github/workflows/security-zizmor.yml b/.github/workflows/security-zizmor.yml
@@ -1,6 +1,6 @@
 # https://github.com/woodruffw/zizmor
 
-name: Security
+name: Security - zizmor
 
 on:
   push:
@@ -12,23 +12,27 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   zizmor:
-    # name: zizmor via PyPI
-    runs-on: ubuntu-latest
+    # name: zizmor latest via PyPI
+    runs-on: ubuntu-slim
     permissions:
       contents: read
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6.0.2 # zizmor: ignore[unpinned-uses]
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v6 # zizmor: ignore[unpinned-uses]
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: '3.10.4'
+          python-version-file: '.python-version'
 
       - name: Install Zizmor
         run: |
diff --git a/.github/workflows/stargazers.yml b/.github/workflows/stargazers.yml
@@ -7,6 +7,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   check-new-links:
     runs-on: ubuntu-latest
@@ -15,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6.0.2 # zizmor: ignore[unpinned-uses]
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
diff --git a/.python-version b/.python-version
@@ -0,0 +1 @@
+3.14.3
diff --git a/requirements.txt b/requirements.txt
@@ -1 +1 @@
-zizmor==1.22.0
+zizmor==1.23.1
